CVE-2013-1399
https://notcve.org/view.php?id=CVE-2013-1399
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) node request management, (2) live management, and (3) user administration components in the console in Puppet Enterprise (PE) before 2.7.1 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. Múltiples vulnerabilidades de CSRF en los componentes (1) gestión de solicitudes de nodo, (2) gestión viva y (3) administración de usuario en la consola en Puppet Enterprise (PE) anterior a 2.7.1 permiten a atacantes remotos secuestrar la autenticación de víctimas no especificadas a través de vectores desconocidos. • https://puppetlabs.com/security/cve/cve-2013-1399 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2013-4966
https://notcve.org/view.php?id=CVE-2013-4966
The master external node classification script in Puppet Enterprise before 3.2.0 does not verify the identity of consoles, which allows remote attackers to create arbitrary classifications on the master by spoofing a console. El script maestro de clasificación de nodo externo en Puppet Enterprise anterior a 3.2.0 no verifica la identidad de consolas, lo que permite a atacantes remotos crear clasificaciones arbitrarias en el maestro mediante la falsificación de una consola. • http://puppetlabs.com/security/cve/cve-2013-4966 http://www.securitytracker.com/id/1029873 • CWE-287: Improper Authentication •
CVE-2013-4971
https://notcve.org/view.php?id=CVE-2013-4971
Puppet Enterprise before 3.2.0 does not properly restrict access to node endpoints in the console, which allows remote attackers to obtain sensitive information via unspecified vectors. Puppet Enterprise anterior a 3.2.0 no restringe debidamente acceso a Endpoints de nodo en la consola, lo que permite a atacantes remotos obtener información sensible a través de vectores no especificados. • http://puppetlabs.com/security/cve/cve-2013-4971 http://www.securitytracker.com/id/1029873 • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2013-4969
https://notcve.org/view.php?id=CVE-2013-4969
Puppet before 3.3.3 and 3.4 before 3.4.1 and Puppet Enterprise (PE) before 2.8.4 and 3.1 before 3.1.1 allows local users to overwrite arbitrary files via a symlink attack on unspecified files. Puppet anteriores a 3.3.3. y 3.4 anteriores a 3.4.1 y Puppet Enterprise (PE) anteriores a 2.8.4 y 3.1 anteriores a 3.1.1 permite a usuarios locales sobreescribir ficheros arbitrarios a través de un ataque de enlaces simbólicos en ficheros no especificados. • http://puppetlabs.com/security/cve/cve-2013-4969 http://secunia.com/advisories/56253 http://secunia.com/advisories/56254 http://www.debian.org/security/2013/dsa-2831 http://www.ubuntu.com/usn/USN-2077-1 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2013-4965
https://notcve.org/view.php?id=CVE-2013-4965
Puppet Enterprise before 3.1.0 does not properly restrict the number of authentication attempts by a console account, which makes it easier for remote attackers to bypass intended access restrictions via a brute-force attack. Puppet Enterprise anteriores a 3.1.0 no restringe el número de intentos de autenticación apropiadamente a traves de consola, lo que permite a un atacante remoto sortear las restricciones de acceso a traves de ataques de fuerza bruta. • http://osvdb.org/98640 http://puppetlabs.com/security/cve/cve-2013-4965 • CWE-287: Improper Authentication •